  1. Couchbase Gateway
  2. CBG-502

x.509 broken due to deprecated CertificateAuthenticator

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.6.0, 2.5.1
    • Fix Version/s: 2.7.0, 2.6.1
    • Component/s: SyncGateway
    • Security Level: Public
    • Sprint: CBG Sprint 30
    • Story Points: 1

      Description

      Background

      GoCB deprecated CertificateAuthenticator in GOCBC-304 - which should've been backwards compatible. However, another commit causes a runtime error when the old struct is used.

      // CertificateAuthenticator is included for backwards compatibility only.
      // Deprecated: Use CertAuthenticator instead.
      type CertificateAuthenticator struct {
         CertAuthenticator
      }

      _, ok := auth.(CertAuthenticator)
      if !ok {
         return nil, ErrMixedCertAuthentication
      }

      Fix

      • We should update our cluster.Authenticate(gocb.CertificateAuthenticator{}) call to use the new struct instead to fix this.

      Testing

      • We should also try to get some sort of test coverage that would've caught this runtime error, even if we can't easily get a full end-to-end x.509 integration test.
        Perhaps an untrusted client cert would be sufficient enough to test that we can attempt to authenticate with the cluster.
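
The runtime failure described above can be reproduced without a cluster or certificates. The Go program below is an added example, not code from gocb or Sync Gateway: its types are local stand-ins modelled on the two snippets in the description, and tolerantCheck and otherAuth are hypothetical names introduced for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Local stand-ins modelled on the snippets in the ticket; not gocb's source.
type Authenticator interface{ isAuth() }

var ErrMixedCertAuthentication = errors.New("mixed cert authentication")

type CertAuthenticator struct{}

func (CertAuthenticator) isAuth() {}

// Deprecated wrapper: embedding promotes isAuth, so it satisfies the
// interface at compile time, yet it is a distinct concrete type.
type CertificateAuthenticator struct{ CertAuthenticator }

var _ Authenticator = CertificateAuthenticator{} // compiles fine

type otherAuth struct{} // hypothetical non-certificate authenticator

func (otherAuth) isAuth() {}

// strictCheck mirrors the quoted assertion: only the exact type passes.
func strictCheck(auth Authenticator) error {
	if _, ok := auth.(CertAuthenticator); !ok {
		return ErrMixedCertAuthentication
	}
	return nil
}

// tolerantCheck (hypothetical) also accepts the deprecated wrapper.
func tolerantCheck(auth Authenticator) error {
	switch auth.(type) {
	case CertAuthenticator, CertificateAuthenticator:
		return nil
	}
	return ErrMixedCertAuthentication
}

func main() {
	for _, a := range []Authenticator{CertAuthenticator{}, CertificateAuthenticator{}, otherAuth{}} {
		fmt.Printf("%T strict=%v tolerant=%v\n", a, strictCheck(a), tolerantCheck(a))
	}
}
```

A unit test that passes each authenticator type through the check is enough to catch this class of regression, because a type assertion on an interface value matches only the exact dynamic type and never an embedding struct.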

        Attachments

        1. 192.168.0.145_node.zip
          3.42 MB
        2. certs.zip
          21 kB
        3. sgcollect_info_with_use_views.zip
          12.52 MB
        4. sgcollect_info.zip
          12.46 MB

            Activity

            build-team Couchbase Build Team added a comment -

            Build sync_gateway-2.7.0-25 contains sync_gateway commit d6bd3fe with commit message:
            CBG-502 - Fix x.509 by switching to use gocb.CertAuthenticator (#4228)

            hemant.rajput Hemant Rajput added a comment (edited)

            I tried to connect CBS 6.5.0-4169 with SG-2.7.0-25 with x509 cert authentication, but SG is not able to start with the x509 cert SG config.

            sgcollect_info.zip

            hemant.rajput Hemant Rajput added a comment (edited)

            I retried with use_views=true, as suggested by Adam. I was able to successfully provision the cluster with x509 authentication and ran the replication test as well. The test is also passing.

            Adam suggested that the earlier case may have failed due to a misconfiguration of the query service with respect to x509 or ssl. I would need some help in identifying the issue, so please provide some reference to check the configuration.

            I'm attaching sg_collect, certificates and cb_collect for reference.

            sgcollect_info_with_use_views.zip

            certs.zip

            192.168.0.145_node.zip

            hemant.rajput Hemant Rajput added a comment -

            So, I was finally able to figure out the issue with having x509 auth with GSI. Basically, when I ran the test with GSI enabled, the certificate didn't install because of a clock sync issue between my job slave and the machine on which Couchbase Server was installed. After fixing the clock sync issue on the test machine, I was able to successfully provision the CBS and SG cluster with x509 auth.

             

            Ben Brooks, I'm done with the testing for x509. You can close the ticket if nothing is pending here.

            ben.brooks Ben Brooks added a comment -

            Thanks for confirming Hemant Rajput!


              People

              Assignee:
              ben.brooks Ben Brooks
              Reporter:
              ben.brooks Ben Brooks